CVE-2025-60349: n/a
An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated.
AI Analysis
Technical Summary
CVE-2025-60349 is a denial of service (DoS) vulnerability discovered in Prevx version 3.0.5.220, specifically in the kernel-mode driver pxscan.sys. The vulnerability arises from the driver's improper handling of a particular IOCTL (I/O control) code, 0x22E044. When an attacker sends this IOCTL code to the driver, it triggers termination of any processes listed under the Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files. This registry key presumably contains file paths or process identifiers that the driver monitors or protects. By terminating these processes, the attacker can disrupt the normal operation of the system, potentially disabling security or monitoring services that rely on them. The attack vector does not require authentication or user interaction, making it accessible to local attackers or potentially to remote attackers with the ability to send IOCTL requests to the driver. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability affects systems running the specified Prevx version with the vulnerable driver installed. Since the driver operates at the kernel level, exploitation can cause significant system instability or denial of service, impacting system availability and potentially the overall security posture.
Potential Impact
For European organizations, the primary impact of CVE-2025-60349 is the potential denial of service caused by forced termination of critical processes managed by the Prevx driver. This can lead to disruption of endpoint protection or other security monitoring services, increasing the risk of undetected attacks or system compromise. Organizations relying on Prevx for malware detection or system integrity monitoring may experience reduced security effectiveness and operational downtime. Critical infrastructure sectors, financial institutions, and government agencies using this software could face increased risk of service outages or security gaps. The vulnerability could also be leveraged as part of a multi-stage attack to disable defenses before further exploitation. Although no known exploits are currently in the wild, the ease of triggering the vulnerability without authentication increases the risk of future exploitation. The impact on confidentiality and integrity is indirect but availability impact is significant, potentially affecting business continuity and compliance with security regulations such as GDPR if security controls are impaired.
Mitigation Recommendations
1. Immediately restrict access to the vulnerable driver interface by enforcing strict permissions on device objects associated with pxscan.sys to prevent unauthorized IOCTL calls.
2. Monitor system logs and registry keys related to Prevx for unusual process terminations or IOCTL activity indicative of exploitation attempts.
3. Engage with the Prevx vendor or support channels to obtain patches or updated driver versions that address this vulnerability.
4. If patching is not immediately available, consider disabling or uninstalling the vulnerable Prevx driver where feasible, especially on non-critical systems.
5. Implement host-based intrusion detection systems (HIDS) to detect anomalous IOCTL requests or process terminations.
6. Conduct regular endpoint security audits to ensure that critical processes are protected and that fallback security controls are in place.
7. Educate system administrators about the vulnerability and the risks of unauthorized IOCTL access to kernel drivers.
8. Use application whitelisting and least privilege principles to limit the ability of attackers to execute code that could trigger the vulnerability.
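The following host triage script is an added example for recommendations 1 to 5 above, not vendor or advisory code: it checks whether the installed pxscan.sys matches the affected build, lists the entries under the pxscan\Files key (the processes the IOCTL would terminate), and looks for recent exits of exactly those processes in the Security log. It assumes the driver is registered as the service "pxscan", that the Files key holds process image paths as values or subkey names (layout inferred from the advisory, not confirmed), and that Security event 4689 is available, which requires the "Audit Process Termination" policy.

```powershell
# CVE-2025-60349 defender triage (added example; service/key layout assumed).
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\pxscan'
$filesKey   = Join-Path $serviceKey 'Files'
$affected   = [version]'3.0.5.220'   # build named in the advisory

if (-not (Test-Path $serviceKey)) { Write-Output 'pxscan service key absent: driver not installed.'; return }

# 1. Resolve the driver image path (ImagePath comes in several NT/Win32 forms) and read its version.
$imagePath  = (Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue).ImagePath
$driverPath = switch -Regex ([string]$imagePath) {
    '^\\SystemRoot\\(.+)$' { Join-Path $env:SystemRoot $Matches[1]; break }
    '^\\\?\?\\(.+)$'       { $Matches[1]; break }
    '^[A-Za-z]:\\'         { $imagePath; break }
    default                { Join-Path $env:SystemRoot 'System32\drivers\pxscan.sys' }
}
if (Test-Path $driverPath) {
    $fv = (Get-Item $driverPath).VersionInfo
    $installed = [version]('{0}.{1}.{2}.{3}' -f $fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart)
    $verdict = if ($installed -eq $affected) { 'matches the AFFECTED build' } else { 'differs from 3.0.5.220; confirm status with the vendor' }
    Write-Output "pxscan.sys $installed at $driverPath : $verdict"
}

# 2. Enumerate the processes that IOCTL 0x22E044 would terminate (values and subkeys of ...\Files).
$entries = @()
if (Test-Path $filesKey) {
    $entries += (Get-ItemProperty -Path $filesKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [string]$_.Value }
    $entries += (Get-ChildItem -Path $filesKey -ErrorAction SilentlyContinue).PSChildName
}
$names = $entries | ForEach-Object { [IO.Path]::GetFileName($_) } | Where-Object { $_ } | Sort-Object -Unique
Write-Output "Processes the vulnerable IOCTL would terminate ($(@($names).Count)): $($names -join ', ')"

# 3. Detection: a burst of 4689 (process exited) events for those names within seconds is the
#    signature of a forced termination; a single exit may simply be a service restart.
if ($names) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $proc = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ProcessName' }).'#text'
            if ($names -contains [IO.Path]::GetFileName([string]$proc)) {
                [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc }
            }
        } | Sort-Object Time | Format-Table -AutoSize
}
```

Run from an elevated PowerShell session; the same name list can feed a SIEM rule that alerts when several of these processes exit within the same few seconds.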
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6900f0e28b5ca1e4f6b448e7
Added to database: 10/28/2025, 4:35:46 PM
Last enriched: 10/28/2025, 4:36:39 PM
Last updated: 10/30/2025, 4:02:28 PM